Updating DNS For CCCApply Email




Implementation

CCCApply is a hosted application used by the California Community Colleges (CCCs) and their students. Email for any CCCApply email-related task is actually sent by the California Community Colleges Technology Center (CCCTC) servers on behalf of the colleges. Email-related tasks include all college-implemented email message rules (configured by the college in the CCCApply Administrator).

For CCCApply email sent as admissions@yourdomain.edu to be received by many commercial email providers (particularly AOL, Hotmail, Charter, Comcast, Yahoo, etc.), you need a valid Sender Policy Framework (SPF) record in your college's DNS that ‘authorizes’ our email servers to send messages on your domain’s behalf. Commercial email service providers check this SPF record to verify that the sending server is known and authorized to send email on behalf of your domain. This SPF lookup attempts to prevent spam, spoofing, and phishing of legitimate email by unauthorized hosts.

If a CCCApply email message fails an SPF lookup, the message will (in a best-case scenario) be sent to the recipient's spam folder. More frequently, the email message is simply rejected or deleted with no further notice, an increasingly common and necessary practice to combat fraud and spam.

Required DNS Records

The following DNS records are required:

  • Domain Validation: Provides authorization to send mail from your domain on CCCApply servers.
  • SPF (Sender Policy Framework): Shows a list of servers that should be considered allowed to send mail for a specific domain, and is a DNS TXT entry.
  • DKIM (DomainKeys Identified Mail): Verifies that the message's content is trustworthy, meaning that the message wasn't changed from the moment it left the initial mail server. This helps prevent forged email headers.

Updating Your DNS For Email

To finish configuring your domain to allow CCCApply to send mail on your behalf, you must create or update your domain's verification record, update your SPF record, and create DKIM records.

Locate your domain name in this page.

The DNS record has 3 zone records that need creation:

  • (1) TXT Name and value. This validates AWS has permission to send on behalf of the domain. This value is only retrieved by AWS and is not part of email transactions.
  • (3) DKIM records. Email servers use these records to verify the email has not been tampered with in transit.

Create Domain Authorization Record

Use the following steps to create a domain authorization record. The name and value are located in the "Domain verification record set" section of the domain file you downloaded in the "Updating Your DNS For Email" section above.

  1. Open the DNS records for your College domain. 
  2. Create a TXT record.


    Depending on the editor you are using to create the record, the domain name may already be displayed as part of the "Name". In this case you would only enter "_amazonses". When saved, the name should be
    _amazonses.<your domain name>
    If it displays
    _amazonses.<your domain name><your domain name>
    you will need to correct the entry so the domain is not repeated.

  3. Enter the "Record name" from the downloaded domain file in your DNS file's name field.

  4. Enter the "Record Value" from the downloaded domain file in your DNS file's value field.

  5. Save the record. Your records should now have an _amazonses.<your domain> TXT record.

Edit Your SPF Record

Do not delete the original CCCApply SPF records until notified by CCCTC.

Use the following steps to edit your SPF record.

  1. Open the DNS records for your College domain (if not already open). 
  2. Locate the SPF TXT record for editing. It should have the same name as your domain, and the SPF TXT type record should have a value that begins with v=spf (e.g., "v=spf1 a mx include:spf.protection.outlook.com ~all").
  3. Add "include:amazonses.com" in the value field of your SPF record.

    For example, your SPF record might look something like this after adding the ‘include’ statement:

    "v=spf1 mx ip4:8.8.8.8 include:outlook.com include:amazonses.com ~all"

    You will probably want to end your SPF record with the “~all” (SoftFail) qualifier to increase the probability of a delivery warning message in the event of a delivery failure. A hard fail (-all) will usually result in the rejection or deletion of potentially non-compliant messages.

  4. Save the record.


Create DKIM CNAME Records

To create your DKIM settings, you will create three new records in DNS under your domain. The Name and Value for each of the three records are located in the "DKIM record set" section of the domain file you downloaded in the "Updating Your DNS For Email" section above.

  1. Use your domain editor to select your domain and create a CNAME entry.
  2. Copy the first DKIM record's "Record Name" from the downloaded domain file and paste/enter it into place for the Name.
  3. Copy the first DKIM record's "Record Value" from the downloaded domain file and paste/enter it into place for the Value.
  4. Save the settings.
  5. Repeat steps 1 through 4 for the remaining two DKIM record set records in your downloaded domain file.
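
A check for the records created in the two procedures above (the domain authorization TXT record and the three DKIM CNAME records), as an added example that is not part of the original page. The domain college.example, the selector names and all values are constructed placeholders, and the input is assumed to be a zone export with one "name type value" record per line.

```shell
# Constructed zone export for the hypothetical domain college.example.
# It contains the doubled-domain mistake described above and one DKIM
# record saved with the wrong type.
sample_zone() {
  cat <<'EOF'
_amazonses.college.example.college.example TXT "placeholder-verification-token"
selector1._domainkey.college.example CNAME selector1.dkim.placeholder.example
selector2._domainkey.college.example CNAME selector2.dkim.placeholder.example
selector3._domainkey.college.example TXT selector3.dkim.placeholder.example
EOF
}

# Read "name type value" lines on stdin and print one finding per problem
# for domain $1. Prints nothing when the record set matches the steps above.
check_ses_records() {
  awk -v d="$1" '
    function ends(s, suf) {
      return length(s) >= length(suf) && substr(s, length(s) - length(suf) + 1) == suf
    }
    {
      name = tolower($1); sub(/\.$/, "", name)   # ignore case and a trailing dot
      if (ends(name, "." d "." d)) { print "doubled domain: " name; next }
      if (name == "_amazonses." d) {
        if ($2 == "TXT") txt++; else print "wrong type " $2 ": " name
      } else if (ends(name, "._domainkey." d)) {
        if ($2 == "CNAME") dkim++; else print "wrong type " $2 ": " name
      }
    }
    END {
      if (txt != 1)  print "expected 1 _amazonses TXT record, found " (txt + 0)
      if (dkim != 3) print "expected 3 DKIM CNAME records, found " (dkim + 0)
    }'
}

sample_zone | check_ses_records college.example
```

A doubled name is worth ruling out first, because the dig tests in the next section return the same empty result for it as for a record that has not propagated yet.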

Testing Your DNS Records

The following commands are run from a bash shell, which is commonly available on the Mac or Linux command line.

Test AWS Validation

Replace the domain name where appropriate. An empty result indicates it is not configured or has not propagated across DNS servers yet.

for i in `dig paloverde.edu NS +short`; do dig @${i} _amazonses.paloverde.edu TXT +short; done

Test DKIM Records

Replace the domain name where appropriate. Replace the string after @${i} with the DKIM Name value. This will need to be repeated for all three DKIM records. An empty result indicates it is not configured or has not propagated across DNS servers yet.

for i in `dig paloverde.edu NS +short`; do dig @${i} s3c3z5ramza7wfjkzda2wf7uqnswate6._domainkey.paloverde.edu CNAME +short; done

Notify CCCApply Administrators

Once your domain DNS settings have been updated, please send an email to apply-migration@ccctechcenter.org providing:

  1. The domain name.
  2. A statement that the DNS record has been updated.


In order for CCCApply to process your email, we must be notified once the DNS record has been updated so that we may submit for authorization. This is only required once when moving to new email services.

Additional DNS Help

DNS Zone Editing

SPF Recursion

The SPF RFC specifies a maximum of 10 DNS lookups for items included in your SPF record (see https://tools.ietf.org/html/rfc7208#section-4.6.4). You may test your SPF record online from various websites. One such tool is available at https://www.dmarcian.com/spf-survey/. Any test failures will be displayed in red.
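
An offline check for both the "Edit Your SPF Record" steps and the lookup limit described here, as an added example that is not part of the original page. It confirms that include:amazonses.com is present and counts the worst-case number of DNS-querying terms across nested includes; every domain and record in it is constructed, including the stand-in for the amazonses.com SPF record.

```shell
# Constructed sample zone: every record here is made up for illustration.
# For live use, replace the body of spf_txt with a query such as:
#   dig +short TXT "$1" | sed 's/" "//g; s/"//g' | grep -i '^v=spf1'
spf_txt() {
  case "$1" in
    college.example) echo "v=spf1 a mx include:spf.mailhost.example include:amazonses.com ~all" ;;
    legacy.example)  echo "v=spf1 a mx include:spf.mailhost.example ~all" ;;
    sprawl.example)  echo "v=spf1 a mx include:crm.example include:news.example include:survey.example include:amazonses.com ~all" ;;
    crm.example|news.example|survey.example) echo "v=spf1 include:spf.mailhost.example -all" ;;
    spf.mailhost.example)  echo "v=spf1 ip4:192.0.2.0/24 include:spfb.mailhost.example -all" ;;
    spfb.mailhost.example) echo "v=spf1 ip6:2001:db8::/32 -all" ;;
    amazonses.com)         echo "v=spf1 ip4:198.51.100.0/24 -all" ;;
  esac
}

# Print the worst-case count of DNS-querying terms (RFC 7208 section 4.6.4)
# for domain $1. The ( ) body is a subshell, so variables stay local per level.
spf_lookups() (
  set -f                                      # keep "?all" from being globbed
  depth=${2:-0}; count=0
  [ "$depth" -gt 10 ] && { echo 0; exit 0; }  # guard against include loops
  for term in $(spf_txt "$1" | tr 'A-Z' 'a-z'); do
    term=${term#[-+~?]}                       # drop the qualifier
    case "$term" in
      include:*|redirect=*)
        target=${term#include:}; target=${target#redirect=}
        nested=$(spf_lookups "$target" $((depth + 1)))
        count=$((count + 1 + nested)) ;;
      a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*)
        count=$((count + 1)) ;;
    esac
  done
  echo "$count"
)

# Report whether domain $1 has the include and stays within the limit.
spf_check() {
  case " $(spf_txt "$1") " in
    *" include:amazonses.com "*) ;;
    *) echo "FAIL: include:amazonses.com missing"; return 1 ;;
  esac
  n=$(spf_lookups "$1")
  [ "$n" -le 10 ] || { echo "FAIL: $n DNS lookups (limit 10)"; return 1; }
  echo "OK: $n DNS lookups"
}

for d in college.example legacy.example sprawl.example; do
  echo "$d: $(spf_check "$d")"
done
```

The count is an upper bound: a receiving server stops evaluating at the first mechanism that matches, so a record over the limit may fail only for some senders.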

Reference

http://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-domain-procedure.html

http://docs.aws.amazon.com/ses/latest/DeveloperGuide/spf.html

http://docs.aws.amazon.com/ses/latest/DeveloperGuide/dns-txt-records.html
